Drop DDOS attack1. Find.. to which IP address in the server is targeted by the ddos attack
netstat -plan | grep :80 | awk ‘{print $4}’ | cut -d: -f1 |sort |uniq -c2. Find… from which IPs, the attack is coming
netstat -plan | grep :80 | awk ‘{print $5}’ | cut -d: -f1 |sort |uniq -c3. Then find the TTL values of the attacking IP addresses
tcpdump -nn -vvv host xxxx |grep yyy (xxxx = ip attacking and yyyy = ip being attacked)usually we need only tcpdump -nn -vvv host xxxx (as attack is coming from numerous ips)
4. Now block all the ips matching the TTL value obtained from the above script
i
ptables -A INPUT -p tcp -s 0.0.0.0/0 -d yyyy -m ttl –ttl-eq=zzz -j DROP (zzz is the ttl value)——————————————————————————————————————-
Install mod security and dos evasive
——————————————————————————————————————-
Harden the sysctl parameters (kernel params) to mitigate the current attack.
Increasing the backlog queue size and decreasing the backlog queuing time might help a bit.
——————————————————————————————————————-
Also install an open source script to prevent DDoS attack to certain extend.
http://deflate.medialayer.com/MediaLayer was in need of a script to automatically mitigate (D)DoS attacks. The necessity started when MediaLayer was the target of a rather large, consistent attack originating from multiple IP addresses. Each IP would have a large amount of connections to the server, as shown as by:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
It became a general practice for us to be blocking IPs with a large amount of connections, but we wanted to get this automated. Zaf created a script mitigate this kind of attack. We kept improving it to meet our own needs and eventually posted it on Defender Hosting’s Forum. (D)DoS-Deflate is now recognized as one of the best ways to block a (D)DoS attack at the software level.
===
